Covert Channels Through Branch Predictors: a Feasibility Study

Slides:



Advertisements
Similar presentations
Dynamic Thread Assignment on Heterogeneous Multiprocessor Architectures Pree Thiengburanathum Advanced computer architecture Oct 24,
Advertisements

1 Hardware Support for Isolation Krste Asanovic U.C. Berkeley MURI “DHOSA” Site Visit April 28, 2011.
Thread Criticality Predictors for Dynamic Performance, Power, and Resource Management in Chip Multiprocessors Abhishek Bhattacharjee Margaret Martonosi.
PERFORMANCE ANALYSIS OF MULTIPLE THREADS/CORES USING THE ULTRASPARC T1 (NIAGARA) Unique Chips and Systems (UCAS-4) Dimitris Kaseridis & Lizy K. John The.
Trusted Ring: A Security Enhancing Software Architecture Michael DiRossi, Inventor The Johns Hopkins University Applied Physics Laboratory.
Helper Threads via Virtual Multithreading on an experimental Itanium 2 processor platform. Perry H Wang et. Al.
Extensibility, Safety and Performance in the SPIN Operating System Department of Computer Science and Engineering, University of Washington Brian N. Bershad,
Dynamic Warp Formation and Scheduling for Efficient GPU Control Flow Wilson W. L. Fung Ivan Sham George Yuan Tor M. Aamodt Electrical and Computer Engineering.
1 Virtual Private Caches ISCA’07 Kyle J. Nesbit, James Laudon, James E. Smith Presenter: Yan Li.
Parallel/Concurrent Programming on the SGI Altix Conley Read January 25, 2007 UC Riverside, Department of Computer Science.
Performance Analysis of the IXP1200 Network Processor Rajesh Krishna Balan and Urs Hengartner.
Figure 1.1 Interaction between applications and the operating system.
ThreadsThreads operating systems. ThreadsThreads A Thread, or thread of execution, is the sequence of instructions being executed. A process may have.
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.
Case study 2 Android – Mobile OS.
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
Operating Systems Should Manage Accelerators Sankaralingam Panneerselvam Michael M. Swift Computer Sciences Department University of Wisconsin, Madison,
Architecture Basics ECE 454 Computer Systems Programming
ITEC 325 Lecture 29 Memory(6). Review P2 assigned Exam 2 next Friday Demand paging –Page faults –TLB intro.
Meltem Ozsoy*, Caleb Donovick*, Iakov Gorelik*,
9/13/20151 Threads ICS 240: Operating Systems –William Albritton Information and Computer Sciences Department at Leeward Community College –Original slides.
Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in User-Space Babak Salamat, Todd Jackson, Andreas Gal, Michael.
CS533 Concepts of Operating Systems Jonathan Walpole.
Guanhai Wang, Minglu Li and Chuliang Weng Shanghai Jiao Tong University, China. SVM09, Wuhan, China.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan.
Processes and Threads Processes have two characteristics: – Resource ownership - process includes a virtual address space to hold the process image – Scheduling/execution.
March 12, 2001 Kperfmon-MP Multiprocessor Kernel Performance Profiling Alex Mirgorodskii Computer Sciences Department University of Wisconsin.
Hyper Threading (HT) and  OPs (Micro-Operations) Department of Computer Science Southern Illinois University Edwardsville Summer, 2015 Dr. Hiroshi Fujinoki.
Srihari Makineni & Ravi Iyer Communications Technology Lab
1 Process Scheduling in Multiprocessor and Multithreaded Systems Matt Davis CS5354/7/2003.
Processes Introduction to Operating Systems: Module 3.
Introduction to Operating Systems and Concurrency.
Multithreaded Programing. Outline Overview of threads Threads Multithreaded Models  Many-to-One  One-to-One  Many-to-Many Thread Libraries  Pthread.
HyperThreading ● Improves processor performance under certain workloads by providing useful work for execution units that would otherwise be idle ● Duplicates.
Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.
Shouqing Hao Institute of Computing Technology, Chinese Academy of Sciences Processes Scheduling on Heterogeneous Multi-core Architecture.
3/12/2013Computer Engg, IIT(BHU)1 PARALLEL COMPUTERS- 1.
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
Embedded Real-Time Systems Processing interrupts Lecturer Department University.
Android Mobile Application Development
Virtualization.
CS 3214 Computer Systems Lecture 9 Godmar Back.
Resource Management IB Computer Science.
Current Generation Hypervisor Type 1 Type 2.
Process Management Process Concept Why only the global variables?
Breakout Session 3 Alex, Mirco, Vojtech, Juraj, Christoph
The Multikernel: A New OS Architecture for Scalable Multicore Systems
Chapter 1: Introduction
TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime Sadiq Basha.
Chapter 4: Multithreaded Programming
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Xen: The Art of Virtualization
RIC: Relaxed Inclusion Caches for Mitigating LLC Side-Channel Attacks
Final Review CS144 Review Session 9 June 4, 2008 Derrick Isaacson
What is an Operating System?
Threads & multithreading
Hyperthreading Technology
Operating Systems and Systems Programming
Hoda NaghibiJouybari Khaled N. Khasawneh and Nael Abu-Ghazaleh
Chapter 4: Threads.
Coe818 Advanced Computer Architecture
University of California, Riverside
RHMD: Evasion-Resilient Hardware Malware Detectors
Processes and operating systems
Hoda NaghibiJouybari Khaled N. Khasawneh and Nael Abu-Ghazaleh
Hardware Counter Driven On-the-Fly Request Signatures
CS 286 Computer Organization and Architecture
Maria Méndez Real, Vincent Migliore, Vianney Lapotre, Guy Gogniat
Operating Systems Structure
Presentation transcript:

Covert Channels Through Branch Predictors: a Feasibility Study Dmitry Evtyushkin1 Dmitry Ponomarev1 Nael Abu-Ghazaleh2 1State University of New York at Binghamton Department of Computer Science 2University of California at Riverside Department of Computer Science & Engineering Hardware and Architectural Support for Security and Privacy (HASP) June 14, 2015 Portland, OR, USA in conjunction with ISCA 2015 1

Presentation Outline What is covert channel? How can it be used? 2 What is covert channel? How can it be used? Architectural covert channels Branch Predictor in CPU Constructing covert channel through Branch Predictor Results Optimizations Conclusion 2

Covert Channels Data Sharing Mechanisms: Shared Memory Networking 3 Data Sharing Mechanisms: Shared Memory Networking File system IPC etc... 3

Covert Channels Sharing is not desirable: Violates security policy 4 Sharing is not desirable: Violates security policy Information Flow Control (IFC) schemes TaintDroid (OSDI '10) Applications in different Security Domains Covert Channels: Transfer information through channels not intended for information transfer 4

Covert Channel Usage Example 5 Application is isolated or password data is tainted Are passwords secure? $*$&%*&$(*&&@(#& No IPC No File System Access Password Manager No Network Access (Malicious) Passwords are secure as long as OS enforces security policies $*$&%*&$(*&&@(#& Weather Widget Network Access (Malicious) 5

Covert Channel Usage Example 6 Shared resources can be used to construct covert channels: OS resources File descriptors, free space, etc. Network latencies Power and Thermal effects Architectural resources Caches Functional units Branch predictor Other resources Others 6

Contention-based Architectural Covert Channels 7 mul %r1,%r1 mul %r1,%r1 1 Trojan Spy 1 Multiplication Units CPU 7

Branch Prediction Unit 8 Properties that make covert channel possible: During execution branch predictor accumulates state BP is shared among all processes on core BP is not flushed on context switches Parallel threads in SMT share same BP Branch mispredictions have high cost 8

Branch Predictor Operation 9 9

Constructing Covert Channel 10 Not-taken Taken 1 10

Scheduling Trojan and Spy 11 Single Threaded Scenario: Setting affinity mask to run Trojan and Spy on the same core Quanta Q1 Q2 Q3 Q4 Q5 Thread 0 Multi Threaded Scenario (SMT): Setting affinity mask to run Trojan and Spy on parallel virtual cores Quanta Q1 Q2 Q3 Q4 Q5 Thread 0 Thread 1 11

Branch Code 12 br_taken: push %rbp movl $0x1,-0x8(%rbp) cmpl $0x0,-0x8(%rbp) jne .L2 nop .L2: jne .L3 .L3: ...................... Notes: Trojan and Spy execute large number of branch instructions 500K for Trojan 30K for Spy Trojan and Spy execute the similar code Nop instructions to randomize layout 12

Evaluation Platform Real hardware Intel Core i7-4800MQ CPU (Haswell) 13 Real hardware Intel Core i7-4800MQ CPU (Haswell) Ubuntu 14.04.2 generic Linux kernel version 3.16.0-31 13

Results: Single Thread 14 Single Thread, no interference: 14

Signal vs Noise Single Thread, no interference, cpuburn as noise: 15 Single Thread, no interference, cpuburn as noise: High SNR Stable signal Possibly high capacity Asynchronous signal 15

SMT Results 16 Multi Thread, no interference, cpuburn as noise: 16

Realistic example 17 Single Thread, Browser with YouTube as noise/interference 17

Possible optimizations 18 What we present is only a prototype Can transmit multiple bits at once Can make scheduling faster For more accuracy, can reverse-engineer BP to find optimal number of branch instructions/nops 18

Conclusions 19 Branch predictor can be used as an effective covert channel media Covert channel through BP has desirable properties It should be considered when implementing secure systems free of covert and side channels 19

20 Thank you! 20

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.